Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines.
The Office of the Privacy Commissioner of Canada (“OPC”) recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey, the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues, can be accessed here.
It turns out that while much has changed, much has also stayed the same. A summary of some of the highlights from the survey report is provided below.
Privacy Knowledge Increasing
There are a few notable areas where companies have improved in their knowledge of and compliance with privacy issues. For instance, companies are increasingly familiar with privacy legislation and have policies or procedures in place to assess privacy risks.
Now, more than ever, the majority of companies are at least “somewhat familiar” with their responsibilities under Canada’s privacy laws. Fifty-nine percent of business executives said their company has taken steps to ensure that it complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), and the majority of these respondents said that they have not found compliance to be difficult.
In addition, the vast majority of companies now use tools such as passwords, firewalls and encryption to protect customer information, more than in the last survey conducted in 2013.
These findings suggest an increase in the general knowledge of privacy obligations and concerns, as well as some greater action on behalf of companies to protect customer information.
Privacy Compliance Lagging
There has been less improvement with respect to dealing with actual privacy data breaches. The OPC’s survey results show only a modest increase in the number of companies who have policies and procedures in place in case of an actual breach.
Moreover, less than half of respondents reported having privacy policies to inform customers about what kind of personal information they collect and how the information is used.
Finally, the number of respondents who said their company is “highly aware” of its responsibilities under Canada’s privacy laws is virtually unchanged from 2013.
These trends should change more readily, particularly given the OPC’s now broader powers to enforce and penalize for privacy violations (click here for more details).
Offering A Solution
Knowing one’s obligations and having the tools to promote and protect privacy, and effectively deal with data breaches should they occur, is increasingly essential. McCarthy Tétrault has developed processes and tools that can help companies minimize the risk of enforcement and fines by improving their compliance with data breach requirements, including pending mandatory breach notification and record-keeping provisions: http://www.mccarthy.ca/digital_privacy_act.aspx.